[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Sat Aug 6 07:13:06 EDT 2011

On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
> Am 05.08.2011 23:54, schrieb Lukas Fleischer:
> > [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
> > [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
> > [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
> > [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
> Those commits are nothing but a charade. The very least you must do is this:
> 1) ALWAYS force a redirect to https on the AUR login page, never allow
> the login to be submitted unencrypted.

Thought about that. The problem is that there currently isn't a separate
login page. Maybe removing the overall login form and creating a
separate page for that will make things easier.

> 2) Ensure that the cookie is never sent over http, only over https.

We discussed that before, see the other replies. This will be

More information about the aur-general mailing list